Re: REST API - Create URL connection (Permission Denied)
On Fri, Feb 9, 2024 at 6:46 AM i.no...@wp.pl wrote:
> Hello,
>
> I've installed Apache Guacamole v.1.5.4 on Linux CentOS 8.5 - I'm able to
> login to GUI, create users, connection, etc.
> I installed database (MySQL) as well (to manage users, connection) with
> all needed *.jar files according to doc
> https://guacamole.apache.org/doc/gug/jdbc-auth.html
>
> After that, I'm able to login as ""guacadmin" user to GUI and manage
> connections etc.
>
> Now, I want to create URL to direct connection to my VM, but I found
> errors like below:
>
> -- SCRIPT
> -
> #!/bin/bash
>
> TOKEN=$(curl -s -X POST -H "Content-Type:
> application/x-www-form-urlencoded" -d
> "username=guacadmin=guacadmin"
> http://localhost:8080/guacamole/api/tokens | jq -r '.authToken')
>
> # Endpoint API Guacamole
> API_ENDPOINT="
> http://localhost:8080/guacamole/api/session/data/mysql/connections;
>
> CONNECTION_DATA='{
> "name": "Connection name",
> "protocol": "rdp",
> "parameters": {
> "hostname": "10.194.53.45",
> "port": "3389",
> "username": "user",
> "password": "password"
> }
> }'
>
> RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" -H
> "Authorization: Bearer $TOKEN" -d "$CONNECTION_DATA" $API_ENDPOINT)
>
>
I don't think you're using the correct header, here for the Guacamole
authentication token - you should be passing a header called
"Guacamole-Token" with the Guacamole authorization token. Guacamole does
not generally use the "Authorization" header.
> CONNECTION_ID=$(echo $RESPONSE | jq -r '.identifier')
>
> if [ "$CONNECTION_ID" != "null" ]; then
> URL="
> http://localhost:8080/guacamole/#/client/$CONNECTION_ID?token=$TOKEN;
> echo "Connection ID: $CONNECTION_ID"
> echo "URL: $URL"
> else
> echo "Error creating connection."
> fi
>
>
Two issues, here:
* We've removed the ?token= parameter in recent versions in favor of a
model that prefers/uses a header, instead, so you should leave off the
token= part of this.
* Your path for the connection (/client/$CONNECTION_ID) won't work - the
client identifier is not the same as the connection ID, but is, instead, a
base 64 encoding of the type of connection (connection or connection
group), the data source (pgsql, mysql, etc.), and the connection
identifier. See:
https://github.com/apache/guacamole-client/blob/22fe53fde50fd139cb86091912e1ae50d348add8/guacamole/src/main/frontend/src/app/navigation/types/ClientIdentifier.js#L40-L71
-Nick
>
REST API - Create URL connection (Permission Denied) - version 1.5.4
Hello, Ive installed Apache Guacamole v.1.5.4 on Linux CentOS 8.5 -
Im able to login to GUI, create users, connection, etc. I installed
database (MySQL) as well (to manage users, connection) with all needed *.jar
files according to doc guacamole.apache.org
https://guacamole.apache.org/doc/gug/jdbc-auth.html After that, Im able
to login as guacadmin user to GUI and manage connections etc.
Now, I want to create URL to direct connection to my VM, but I found errors
like below: -- SCRIPT
- #!/bin/bash TOKEN=$(curl -s -X POST -H
Content-Type: application/x-www-form-urlencoded -d
username=guacadminpassword=guacadmin localhost:8080
http://localhost:8080/guacamole/api/tokens | jq -r .authToken) #
Endpoint API Guacamole API_ENDPOINT= localhost:8080
http://localhost:8080/guacamole/api/session/data/mysql/connections
CONNECTION_DATA={ name: Connection name,
protocol: rdp, parameters: {
hostname: 10.194.53.45, port:
3389, username: user,
password: password } } RESPONSE=$(curl -s -X
POST -H Content-Type: application/json -H Authorization: Bearer
$TOKEN -d $CONNECTION_DATA $API_ENDPOINT) CONNECTION_ID=$(echo
$RESPONSE | jq -r .identifier) if [ $CONNECTION_ID !=
null ]; then URL= localhost:8080
http://localhost:8080/guacamole/#/client/$CONNECTION_ID?token=$TOKEN
echo Connection ID: $CONNECTION_ID echo URL: $URL else
echo Error creating connection. fi
-- OUTPUT
Response: {message:Permission
Denied.,translatableMessage:{key:APP.TEXT_UNTRANSLATED,variables:{MESSAGE:Permission
Denied.}},statusCode:null,expected:null,type:PERMISSION_DENIED}
Error creating connection. -- OUTPUT END
--- -- L O G S
-- Apache Tomcat system messages:
0:0:0:0:0:0:0:1 - - [09/Feb/2024:12:32:36 +0100] GET
/guacamole/api/session/data/mysql/users/self HTTP/1.1 403 192
0:0:0:0:0:0:0:1 - - [09/Feb/2024:12:32:36 +0100] GET
/guacamole/api/session/data/mysql/users/self HTTP/1.1 403 192Feb 9
12:32:36 server[90877]: 12:32:36.207 [http-nio-8080-exec-7] DEBUG
o.a.i.t.jdbc.JdbcTransaction - Committing JDBC Connection
[com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2] Feb 9 12:32:36 server[90877]:
12:32:36.212 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction -
Resetting autocommit to true on JDBC Connection
[com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2] Feb 9 12:32:36 server[90877]:
12:32:36.213 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction -
Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2] Feb 9
12:32:36 server[90877]: 12:32:36.213 [http-nio-8080-exec-7] DEBUG
o.a.i.d.pooled.PooledDataSource - Testing connection 2090722754 ... Feb 9
12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG
o.a.i.d.pooled.PooledDataSource - Connection 2090722754 is GOOD! Feb 9
12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG
o.a.i.d.pooled.PooledDataSource - Returned connection 2090722754 to pool. Feb
9 12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG
o.a.g.r.auth.AuthenticationService - Login was successful for user
guacadmin. Feb 9 12:32:36 server[90877]: 12:32:36.230
[http-nio-8080-exec-8] DEBUG o.a.g.rest.RESTExceptionMapper - Client request
rejected: Permission Denied. -- L O G S END
-- MESSAGE: DEBUG
o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied.
-- DATABASE INFO (Permission)
mysql SELECT * FROM guacamole_entity JOIN guacamole_user_permission ON
guacamole_entity.entity_id = guacamole_user_permission.entity_id WHERE
guacamole_entity.name = guacadmin;
+---+---+--+---+--++ |
entity_id | name | type | entity_id | affected_user_id | permission |
+---+---+--+---+--++ |
1 | guacadmin | USER | 1 | 1 | READ | |
1 | guacadmin | USER | 1 | 1 | UPDATE | |
1 | guacadmin | USER | 1 | 1 | ADMINISTER | |
1 | guacadmin | USER | 1 | 2 | READ | |
1 | guacadmin | USER | 1 | 2 | UPDATE | | 1
| guacadmin | USER | 1 | 2 | DELETE | | 1 |
guacadmin | USER | 1 | 2 | ADMINISTER |
+---+---+--+---+--++
I want to be able to dynamically create a URL after clicking on it, which will
open the VM window in browser (without having
REST API - Create URL connection (Permission Denied)
Hello, Ive installed Apache Guacamole v.1.5.4 on Linux CentOS 8.5 -
Im able to login to GUI, create users, connection, etc. I installed
database (MySQL) as well (to manage users, connection) with all needed *.jar
files according to doc guacamole.apache.org
https://guacamole.apache.org/doc/gug/jdbc-auth.html After that, Im able
to login as guacadmin user to GUI and manage connections etc.
Now, I want to create URL to direct connection to my VM, but I found errors
like below: -- SCRIPT
- #!/bin/bashTOKEN=$(curl -s -X POST
-H Content-Type: application/x-www-form-urlencoded -d
username=guacadminpassword=guacadmin localhost:8080
http://localhost:8080/guacamole/api/tokens | jq -r .authToken) #
Endpoint API Guacamole API_ENDPOINT= localhost:8080
http://localhost:8080/guacamole/api/session/data/mysql/connections
CONNECTION_DATA={ name: Connection name,
protocol: rdp, parameters: {
hostname: 10.194.53.45, port:
3389, username: user,
password: password } } RESPONSE=$(curl -s -X
POST -H Content-Type: application/json -H Authorization: Bearer
$TOKEN -d $CONNECTION_DATA $API_ENDPOINT) CONNECTION_ID=$(echo
$RESPONSE | jq -r .identifier) if [ $CONNECTION_ID !=
null ]; then URL= localhost:8080
http://localhost:8080/guacamole/#/client/$CONNECTION_ID?token=$TOKEN
echo Connection ID: $CONNECTION_ID echo URL: $URL else
echo Error creating connection. fi
-- OUTPUT
Response: {message:Permission
Denied.,translatableMessage:{key:APP.TEXT_UNTRANSLATED,variables:{MESSAGE:Permission
Denied.}},statusCode:null,expected:null,type:PERMISSION_DENIED}
Error creating connection. -- OUTPUT END
--- -- L O G S
-- Apache Tomcat system messages:
0:0:0:0:0:0:0:1 - - [09/Feb/2024:12:32:36 +0100] GET
/guacamole/api/session/data/mysql/users/self HTTP/1.1 403 192
0:0:0:0:0:0:0:1 - - [09/Feb/2024:12:32:36 +0100] GET
/guacamole/api/session/data/mysql/users/self HTTP/1.1 403 192Feb 9
12:32:36 server[90877]: 12:32:36.207 [http-nio-8080-exec-7] DEBUG
o.a.i.t.jdbc.JdbcTransaction - Committing JDBC Connection
[com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2] Feb 9 12:32:36 server[90877]:
12:32:36.212 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction -
Resetting autocommit to true on JDBC Connection
[com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2] Feb 9 12:32:36 server[90877]:
12:32:36.213 [http-nio-8080-exec-7] DEBUG o.a.i.t.jdbc.JdbcTransaction -
Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@7c9de5c2] Feb 9
12:32:36 server[90877]: 12:32:36.213 [http-nio-8080-exec-7] DEBUG
o.a.i.d.pooled.PooledDataSource - Testing connection 2090722754 ... Feb 9
12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG
o.a.i.d.pooled.PooledDataSource - Connection 2090722754 is GOOD! Feb 9
12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG
o.a.i.d.pooled.PooledDataSource - Returned connection 2090722754 to pool. Feb
9 12:32:36 server[90877]: 12:32:36.214 [http-nio-8080-exec-7] DEBUG
o.a.g.r.auth.AuthenticationService - Login was successful for user
guacadmin. Feb 9 12:32:36 server[90877]: 12:32:36.230
[http-nio-8080-exec-8] DEBUG o.a.g.rest.RESTExceptionMapper - Client request
rejected: Permission Denied. -- L O G S END
-- MESSAGE: DEBUG
o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied.
-- DATABASE INFO (Permission)
mysql SELECT * FROM guacamole_entity JOIN guacamole_user_permission ON
guacamole_entity.entity_id = guacamole_user_permission.entity_id WHERE
guacamole_entity.name = guacadmin;
+---+---+--+---+--++ |
entity_id | name | type | entity_id | affected_user_id | permission |
+---+---+--+---+--++ |
1 | guacadmin | USER | 1 | 1 | READ | |
1 | guacadmin | USER | 1 | 1 | UPDATE | |
1 | guacadmin | USER | 1 | 1 | ADMINISTER | |
1 | guacadmin | USER | 1 | 2 | READ | |
1 | guacadmin | USER | 1 | 2 | UPDATE | | 1
| guacadmin | USER | 1 | 2 | DELETE | | 1 |
guacadmin | USER | 1 | 2 | ADMINISTER |
+---+---+--+---+--++
I want to be able to dynamically create a URL after clicking on it, which will
open the VM window in browser (without
Aw: Re: Re: Major bug message log in guacd 1.5.4
Hi everyone, I proceeded as Antoine proposed and set "ARG ALPINE_BASE_IMAGE=3.18" in staging/1.5.5 Dockerfile. The build worked and I was able to start the guacd container from this image. I tried more than 100 consecutive reconnects to an RDP session without the issue appearing. So, it looks good to me. Can anyone confirm? Infos on my docker-host: NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.3 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" Kernel 5.15.0-92-generic Docker version 25.0.3, build 4debf41 Thanks to everyone working on this. Best wishes Michael Gesendet: Freitag, 09. Februar 2024 um 09:00 Uhr Von: "Antoine Besnier" An: "user@guacamole.apache.org" Betreff: Re: Aw: Re: Major bug message log in guacd 1.5.4 Hi, On Alpine, openssl1.1-compat-dev is available for 3.17, 3.18 and Edge, but not 3.19 (which is the version for the 'latest' tag). You could try by changing the version of Alpine. Cheers Antoine Le vendredi 9 février 2024 à 07:35:42 UTC+1, michael böhm a écrit : Hi everyone I'd gladly test in our environment. However, the docker build does not work for me: /tmp/guacamole-server ‹staging/1.5.5› » git checkout staging/1.5.5 1 ↵ Switched to branch 'staging/1.5.5' Your branch is up to date with 'origin/staging/1.5.5'. /tmp/guacamole-server ‹staging/1.5.5› » docker build -t guac_test . [+] Building 0.9s (6/13) docker:default => [internal] load build definition from Dockerfile 0.0s => => transferring dockerfile: 6.10kB 0.0s => [internal] load metadata for docker.io/library/alpine:latest 0.0s => [internal] load .dockerignore 0.0s => => transferring context: 681B 0.0s => CACHED [builder 1/5] FROM docker.io/library/alpine:latest 0.0s => [internal] load build context 0.0s => => transferring context: 28.84kB 0.0s => ERROR [builder 2/5] RUN apk add --no-cache autoconf automake build-base cairo-dev cmake git 0.8s -- > [builder 2/5] RUN apk add --no-cache autoconf automake build-base
Re: Aw: Re: Major bug message log in guacd 1.5.4
Hi, On Alpine, openssl1.1-compat-dev is available for 3.17, 3.18 and Edge, but not 3.19 (which is the version for the 'latest' tag). You could try by changing the version of Alpine. CheersAntoine Le vendredi 9 février 2024 à 07:35:42 UTC+1, michael böhm a écrit : Hi everyone I'd gladly test in our environment. However, the docker build does not work for me: /tmp/guacamole-server ‹staging/1.5.5› » git checkout staging/1.5.5 1 ↵ Switched to branch 'staging/1.5.5' Your branch is up to date with 'origin/staging/1.5.5'. /tmp/guacamole-server ‹staging/1.5.5› » docker build -t guac_test . [+] Building 0.9s (6/13) docker:default => [internal] load build definition from Dockerfile 0.0s => => transferring dockerfile: 6.10kB 0.0s => [internal] load metadata for docker.io/library/alpine:latest 0.0s => [internal] load .dockerignore 0.0s => => transferring context: 681B 0.0s => CACHED [builder 1/5] FROM docker.io/library/alpine:latest 0.0s => [internal] load build context 0.0s => => transferring context: 28.84kB 0.0s => ERROR [builder 2/5] RUN apk add --no-cache autoconf automake build-base cairo-dev cmake git 0.8s -- > [builder 2/5] RUN apk add --no-cache autoconf automake build-base cairo-dev cmake git grep libjpeg-turbo-dev libpng-dev libtool libwebp-dev make openssl1.1-compat-dev pango-dev pulseaudio-dev util-linux-dev: 0.285 fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz 0.475 fetch
